DNS deluge for x.p.ctrc.cc

• Previous message (by thread): DNS deluge for x.p.ctrc.cc
• Next message (by thread): DNS deluge for x.p.ctrc.cc
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 25-Feb-2006, at 03:41, bmanning at vacation.karoshi.com wrote:

>> Limit UDP queries to 512 bytes.  This greatly decreases the
>> amplification affect, though it doesn't stop it.
>
> 	<limiting UDP to 512 has other, unwanted effects,
> 	 edns0 for one... crippling ENUM, DNSSEC, IPv6, etc...
> 	 is this really what is wanted?>

Expanding on this slightly, since I think this merits more discussion  
-- if there was widespread filtering of 53/udp packets to 512 bytes,  
I can see two consequences:

1. A temporary decrease in attack traffic: the malware authors will  
adapt, and the floods will continue except with smaller packets. For  
attacks launched from drones, the amplification arguably isn't as  
important to the attacker as it might be for attacks which have  
single sources.

2. In future, increased use of things like DNSSEC, dynamic updates  
and IPv6 (with attendant AAAA records) are going to make legitimate,  
EDNS0, large 53/udp packets more common, and crippling the transport  
for EDNS0 is going to cause migraines for helpdesks across the world.

As a temporary mitigation tool today, when the volume of legitimate,  
large-packet EDNS0 traffic is near-zero, blocking big 53/udp packets  
might *sound* reasonable. However, we all know how permanent  
temporary filters can be. Crippling EDNS0 transport in the future  
seems like a very high price to pay for what might be a very  
temporary, short-term reduction in attack traffic.


Joe

• Previous message (by thread): DNS deluge for x.p.ctrc.cc
• Next message (by thread): DNS deluge for x.p.ctrc.cc
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]